Linux Security Fundamentals

Modifying User Accounts

Linux provides the [usermod] command to modify the properties of an existing user account. This command takes the same options as [useradd]; any options supplied are applied to the existing account rather than used to create a new one.

Deleting User Accounts

The [userdel] command is used to delete user accounts. When the [-r] switch is used, the user's home directory is removed as well, along with any spooled print jobs and mail. It is very important to note that removing a user does not remove any files that user owns. Those files remain owned by the user's UID even though the user no longer exists. If a directory listing shows a numeric UID in place of a user name, those files belong to a user who has been deleted. If a new user is created with the same UID as the deleted user, that new user will assume ownership of those existing files. Thus it is important to either manually delete, or change the owner of, any of a user's files after the user has been deleted from the system.
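As an added example (not from the original page), the following Python script audits a directory listing for files whose owner UID no longer has an /etc/passwd entry, and then shows which account would inherit those files if a new user were created with the same UID. The passwd entries and the `ls -ln` output are constructed; on a real host the equivalent check is `find / -xdev -nouser`.

```python
# Added example: audit files left behind after userdel, using constructed
# /etc/passwd content and a constructed `ls -ln` listing rather than the
# live system.

# Constructed passwd file: 'carol' (UID 1002) has already been deleted.
PASSWD_BEFORE = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""

# Constructed `ls -ln` output for a shared directory (numeric owner/group).
LISTING = """-rw-r--r-- 1 1001 1001  120 Jan  1 10:00 notes.txt
-rw-r--r-- 1 1002 1002  512 Jan  1 10:05 report.csv
-rw-r----- 1 1002 1002 2048 Jan  1 10:06 payroll.db
-rwxr-xr-x 1    0    0 4096 Jan  1 10:10 tool.sh
"""


def parse_passwd(text):
    """Map UID -> user name from /etc/passwd-style text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, *_rest = line.split(":")
        users[int(uid)] = name
    return users


def orphaned_files(passwd_text, listing):
    """Return [(file, uid)] for entries whose owner UID has no passwd entry."""
    known = parse_passwd(passwd_text)
    found = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9:          # skip blank lines and the 'total N' header
            continue
        uid, name = int(fields[2]), fields[8]
        if uid not in known:
            found.append((name, uid))
    return found


def owner_after_useradd(passwd_text, new_entry, listing):
    """Map each orphaned file to the user who would own it once new_entry exists."""
    known = parse_passwd(passwd_text + new_entry + "\n")
    return {name: known.get(uid) for name, uid in orphaned_files(passwd_text, listing)}


if __name__ == "__main__":
    print(orphaned_files(PASSWD_BEFORE, LISTING))
    # A new account that reuses UID 1002 silently inherits carol's files.
    print(owner_after_useradd(PASSWD_BEFORE, "bob:x:1002:1002::/home/bob:/bin/bash", LISTING))
```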

Creating Groups

Groups provide the same functionality in Linux as they do in Windows. Groups simplify the assignment of permissions, and thus reduce the number of direct changes that must be made to permissions. Group information is stored in the /etc/group file. Each group has a number, a name and a list of members. The member list is only shown when a group has more than one member; otherwise you must check the properties of the user account to see which group the user belongs to. Groups are created with the [groupadd] command. Options that can be used with [groupadd] include the following:

-g: Allows you to specify the group ID (GID). If not supplied, the GID defaults to the next available number greater than 500.

-r: Creates a system group, which is a group with a GID less than 500.

-f: Forces the recreation of an existing group.

One important topic is “user private groups”. This optional configuration is turned on by default on most Linux systems. When user private groups are enabled, every time a user is created a group of the same name is also created, and that group becomes the user's primary group. Thus any files created by the user are also owned by the user's private group, and so, in effect, by the user.